Hi,
I have two sourcetypes forwarded to an index, but I just want to delete one of the sourcetypes from this index. What is the approach? Thanks
Hi newbiesplunk,
If your index has one sourcetype, you can remove the index data at once using the following command: splunk clean eventdata -index <indexname>
You won't be able to delete partial data once data is indexed. Either you have to clean the index data or follow the above recommendation.
Hi,
your index How sourcetype?
Please forgive my English.
Hi, I saw there is a rebuild index function (splunk rebuild); can I use it for my case? Thanks
Use this search:
index=indexname sourcetype=sourcetypename | delete
This will not delete the data from the sourcetype, but you will not see any data from this sourcetype in search.
Hi, I know this search, but I need to remove it permanently from the index. What would be the advice? Thanks
When you delete the data via the | delete command, this marks the buckets as unsearchable and this data will be aged out via the retention period of the index.
Aside from this, you need to modify your inputs to make sure that data source isn't sent to this index anymore.
Why isn't this sufficient for your use case? Data will not be visible to users or available to search, so for all intents and purposes, the data is deleted.